Life notes and ideas from a security pro who lives in the mountains and does a lot of cycling, skiing, dirt biking, writing, coding, and thinking. Twitter @k3strel

Friday, January 24, 2014

RBS World Pay Compromise - One of the more sophisticated hacks of our time

The RBS World Pay compromise is a great example for applying to the Criminal Cost-Benefit Model. If you aren't familiar with this attack, it is worth studying. It shows you just how far a criminal with computer hacking skills is willing to go to steal a few million bucks.

On November 8, 2008, an army of cashers armed with
compromised pre-paid payroll cards descended on ATMs located in over 280 cities
around the world and withdrew $9.5 million in cash in a twelve-hour period. The
cashers kept their commission, 30-50% of the take, and wired the remainder to
the scheme masterminds. The four leaders of the heist had previously broken in
to the Royal Bank of Scotland WorldPay network and stolen data for 44 pre-paid
payroll cards, cracked the payroll card PIN encryption, raised the funds
available on each account up to as high as $500,000, and changed the daily ATM
withdraw limit allowed. The timing of the change of the funds available and daily withdraw limits was done just before the cashers were to begin their global withdraw. During the heist the hackers monitored the withdraw
transactions remotely from the RBS WorldPay systems and, once the heist was
finished, they attempted to cover their tracks on the RBS network.[1]

This was a well-thought out attack – perhaps one of the
most sophisticated financial system hacks to date. I think these guys were
well aware of the risks as they planned out this attack.

·Monetary Benefit (Mb) – Very High.
Assuming that the hackers collected 50% of the $9.5 million, they each stood to
make $1.125 million .

·Psychological Benefit (Pb) – Low.

·Cost of Crime Perpetration (Ocp) –
Moderate. Their primary cost in perpetrating the attack was the opportunity
cost of their time spent in planning and execution.

·Cost of Legal Defense and Incarceration –
Moderate. Speaking on the indictment of the criminals, even the attorney
responsible for prosecution was impressed they were able to solve the case.
“The charges brought against this highly sophisticated international hacking
ring were possible only because of unprecedented international cooperation with
our law enforcement partners.”[2]